Abstract

A quantum digital signature (QDS) protocol is investigated in respect of an attacker who can impersonate other communicating principals in the style of Lowe’s attack on the Needham-Schroeder public-key authentication protocol. A man-in-the-middle attack is identified in respect of a classical variant of the protocol and it is suggested that a similar attack would be effective against the QDS protocol. The attack has been confirmed through initial protocol modelling using an automated theorem prover, ProVerif.


1 Introduction 

Traditional public and private key cryptographic protocols are usually associated with the provision of confidentiality of message communication between principals (usually identified as Alice and Bob) in respect of some eavesdropping third party (usually identified as Eve). However, the existence of confidential channels of communication between principals does not of itself necessarily imply authenticity or integrity of the transmitted message, nor does it ensure non-repudiation of the message by the sender. Signature schemes are implemented to provide authenticity, integrity and non-repudiation of messages using public key cryptography. Additionally, Lamport one-time signature schemes [7] have also gained traction in practical situations where processor overhead is of prime concern.

Quantum digital signatures (QDS) are a current topic for research given that practical (but expensive) point-to-point quantum key distribution (QKD) is commercially available. Dunjko et al. have proposed BB84-based one-time QDS schemes which do not require quantum memory [?]. These protocols provide a QDS scheme free of the requirement for quantum memory and processing resources, contrasting earlier schemes of Gottesman and Chuang [?].

In this paper we investigate the QDS protocol P2 of Dunjko et al. by consideration of a classical analogy of the quantum protocol. We identify a possible man-in-the-middle attack on the classical digital signature protocol inspired by Gavin Lowe’s attack on the Needham-Schroeder protocol [?] and we propose a security attack on the QDS protocol by analogy. Further, we are currently modelling the classical P2 protocol in the Applied Pi Calculus and analysing the protocol using an automated theorem prover called ProVerif. We discuss some initial findings from reachability experiments in support of our attacker model.


2 Protocol P2 

Dunjko et al.’s Protocol P2 is simplified and stated in classical form as follows:

Key distribution stage 

1. For each possible future message m_f = 0, 1, Alice (A) generates two different secret keys consisting of sequences of classical bits.

2. For each possible message m_f = 0, 1, Alice sends one secret key to Bob (B) and the other to Charlie (C) via secure classical channels.

3. For each signature element and for m_f = 0, 1, Bob (Charlie) randomly chooses to either keep it or send it to Charlie (Bob) via a secure classical channel. Essentially, Bob (Charlie) applies a bitstring mask operation against the key bitstring: mask(k_{m_f B}, n_{m_f B}) (resp. mask(k_{m_f C}, n_{m_f C})), where n_{m_f B} (resp. n_{m_f C}) is Bob’s (Charlie’s) chosen bitstring mask for future message bit m_f.


Messaging stage 

1. To send a signed one-bit message m, Alice sends (m, k_{mB}, k_{mC}) to Bob, say, where k_{mB}, k_{mC} are the secret keys assigned to Bob (resp. Charlie) corresponding to the message m.

2. Bob checks (m, k_{mB}, k_{mC}) against his key and the partial key sent to him by Charlie and accepts if matched.

3. Bob now forwards message (m, k_{mB}, k_{mC}) to Charlie and Charlie checks this against his key and the partial key sent by Bob and accepts if matched.

Communication between the three principals over secure channels within the protocol is represented by Table 1.

1. A → B : k_{0B}, k_{1B}
2. A → C : k_{0C}, k_{1C}
3. B → C : mask(k_{0B}, n_{0B}), mask(k_{1B}, n_{1B})
4. C → B : mask(k_{0C}, n_{0C}), mask(k_{1C}, n_{1C})
5. A → B : m, k_{mB}, k_{mC}
6. B → C : m, k_{mB}, k_{mC}

Table 1: Classical P2 protocol


3 An attack on the P2 protocol 

In order to model the principal components of the P2 protocol we use the classical statement of the protocol where point-to-point quantum channels are replaced by secure classical channels.


3.1 Possible attack by E against B 

We will now consider a possible man-in-the-middle attack by Eve on this protocol. Eve (E) is a member of the communicating network. She is trusted sufficiently by the other principals so that secure communication channels can be established between her and her fellow principals. Eve takes control over Bob’s incoming and outgoing communications so that Alice and Charlie send messages to Eve in the belief that they are talking to Bob. Bob, on the other hand, receives messages from Eve believing these messages to be originating from Alice or Charlie. In this position Eve can choose to flip signatures and message bits so that Bob receives a different message from Alice than was originally sent and yet Bob is able to verify the message against its attached signature. From Charlie’s perspective, however, the message received agrees with that which was sent by Alice. The details of this attack are set out below and the communications are presented in Table 2.


Key distribution stage 

1. For each possible future message m_f = 0, 1, Alice (A) generates two different secret keys consisting of sequences of classical bits.

2. For each possible message m_f = 0, 1, Alice sends one secret key to Eve (E) pretending to be Bob (B) and the other to Charlie (C) via secure classical channels.

3. For each possible message m_f = 0, 1, Eve (E) swaps the secret keys so that the key k_{0B} is assigned to future message bit m_f = 1 and key k_{1B} is assigned to future message bit m_f = 0 (now identified as k'_{0B}, k'_{1B}).

4. Bob applies random bit selection to his keys, i.e. he assigns bitstring masks to each key for future message m_f and sends the partial keys kpart'_{0B}, kpart'_{1B} to Eve thinking that he is communicating with Charlie.

5. Eve has knowledge of the complete keys for Bob and the partial keys so she is able to compute the effect of the bitstring masks on the original keys. She sends these “restored” partial keys kpart_{0B}, kpart_{1B} to Charlie who believes that he is receiving them from Bob.

6. Charlie sends his masked partial keys kpart_{0C}, kpart_{1C} to Eve in the belief that he is sending them to Bob.

7. Eve swaps the partial keys sent by Charlie so that the partial key assigned to future message m_f = 0 is now assigned to m_f = 1 and vice versa. The swapped partial keys kpart'_{0C}, kpart'_{1C} are then sent to Bob.


Messaging stage 

1. Alice sends her one-bit signed message (m, k_{mB}, k_{mC}) to Eve thinking that she is communicating with Bob.

2. Eve flips the message: m = 0 is replaced by m' = 1 (or vice versa).

3. Bob matches the signature to the swapped key k'_{m'B} and to the swapped partial key from Charlie kpart'_{m'C} and accepts if matched.

4. Bob sends the flipped message and signatures (m', k_{mB}, k_{mC}) to Eve thinking that he is communicating with Charlie.

5. Eve flips the message again so that m' = 1 is replaced by m = 0 (or vice versa).

6. Charlie confirms the (original) message signature against his own signature and against the partial signature received from Eve (assumed to be Bob), which is the corrected partial signature consistent with Alice’s original signature.


Result Following this attack Charlie has received the correct message m from Alice and has assured himself of its authenticity by verification of the signature. Bob has received the flipped message m' from Alice and assured himself of its authenticity by verification of the signature. Consequently, authenticity and integrity of the message have not been provided by the signature protocol. A similar attack can be devised against Charlie.
1.  A → C     : k_{0C}, k_{1C}
2.  A → E(B)  : k_{0B}, k_{1B}
3.  E(A) → B  : k'_{0B}, k'_{1B}                  swap k_{0B}, k_{1B}
4.  B → E(C)  : kpart'_{0B}, kpart'_{1B}
    where kpart'_{0B} = mask(k'_{0B}, n_{0B}), kpart'_{1B} = mask(k'_{1B}, n_{1B})
5.  E(B) → C  : kpart_{0B}, kpart_{1B}            swap k_{0B}, k_{1B}
    where kpart_{0B} = mask(k_{0B}, n_{0B}), kpart_{1B} = mask(k_{1B}, n_{1B})
6.  C → E(B)  : kpart_{0C}, kpart_{1C}
    where kpart_{0C} = mask(k_{0C}, n_{0C}), kpart_{1C} = mask(k_{1C}, n_{1C})
7.  E(C) → B  : kpart'_{0C}, kpart'_{1C}          swap partial keys
    where kpart'_{0C} = mask(k_{1C}, n_{1C}), kpart'_{1C} = mask(k_{0C}, n_{0C})
8.  A → E(B)  : m, k_{mB}, k_{mC}
9.  E(A) → B  : m', k_{mB}, k_{mC}                swap m, not(m)
10. B → E(C)  : m', k_{mB}, k_{mC}
11. E(B) → C  : m, k_{mB}, k_{mC}                 swap m, not(m)

Table 2: Man-in-the-middle attack against B in the P2 protocol
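The two stages of Table 1 and the eleven messages of Table 2 can be exercised as a small executable model. The following Python program is an added example written for this edition of the text; it is not code from the paper or from Dunjko et al. It assumes a fixed toy key length, represents a key as a tuple of bits and a partial key as the same tuple with withheld positions replaced by None, and lets Eve recover Bob’s masks n_{0B}, n_{1B} from which positions he forwarded (the paper states only that she can compute the effect of the masks). run_honest shows that in the unattacked protocol both verifiers accept and that the same signature attached to the flipped bit is rejected; run_mitm reproduces the key swaps and message flips of Table 2, with Bob accepting not(m) while Charlie accepts m.

```python
import random

KEY_LEN = 32  # signature elements per key; a constructed toy size


def mask(key, n):
    """Step 3 of the key distribution stage: element i of the key is
    forwarded when n[i] == 1 and withheld (None) when n[i] == 0."""
    return tuple(bit if keep else None for bit, keep in zip(key, n))


def matches_partial(full_key, partial):
    """A full key agrees with a partial key on every forwarded position."""
    return all(p is None or p == k for k, p in zip(full_key, partial))


def alice_keygen(rng):
    """Key distribution step 1: for each future message bit m_f in {0, 1}
    Alice draws one key for Bob ('B') and one for Charlie ('C')."""
    return {(mf, r): tuple(rng.randint(0, 1) for _ in range(KEY_LEN))
            for mf in (0, 1) for r in ("B", "C")}


def alice_sign(keys, m):
    """Messaging step 1: the signed one-bit message (m, k_mB, k_mC)."""
    return m, {"B": keys[(m, "B")], "C": keys[(m, "C")]}


class Verifier:
    """Bob or Charlie: holds the keys received from Alice and the partial
    keys received from the other verifier, both indexed by message bit."""

    def __init__(self, name, rng):
        self.name, self.rng = name, rng
        self.own, self.partial = {}, {}

    def receive_keys(self, keys):
        self.own = dict(keys)

    def make_partials(self):
        """Step 3: draw a random mask per key and return the partial keys."""
        return {mf: mask(k, tuple(self.rng.randint(0, 1) for _ in k))
                for mf, k in self.own.items()}

    def receive_partials(self, partials):
        self.partial = dict(partials)

    def verify(self, m, sig):
        """Messaging steps 2-3: own key must match exactly; the other
        verifier's key must agree with the partial key he forwarded."""
        other = "C" if self.name == "B" else "B"
        return sig[self.name] == self.own[m] and \
            matches_partial(sig[other], self.partial[m])


def run_honest(m, seed=1):
    """Table 1. Reports what each verifier accepts and whether Bob would
    reject the same signature attached to the flipped message bit."""
    rng = random.Random(seed)
    keys = alice_keygen(rng)
    bob, charlie = Verifier("B", rng), Verifier("C", rng)
    bob.receive_keys({mf: keys[(mf, "B")] for mf in (0, 1)})      # msg 1
    charlie.receive_keys({mf: keys[(mf, "C")] for mf in (0, 1)})  # msg 2
    charlie.receive_partials(bob.make_partials())                  # msg 3
    bob.receive_partials(charlie.make_partials())                  # msg 4
    sent, sig = alice_sign(keys, m)                                # msg 5
    return {
        "bob_accepts": bob.verify(sent, sig),
        "charlie_accepts": charlie.verify(sent, sig),              # msg 6
        "bob_rejects_flip": not bob.verify(1 - sent, sig),
    }


def run_mitm(m, seed=1):
    """Table 2: Eve controls all of Bob's channels. Returns the message bit
    each verifier accepts as Alice's (None if his verification fails)."""
    rng = random.Random(seed)
    keys = alice_keygen(rng)
    bob, charlie = Verifier("B", rng), Verifier("C", rng)
    charlie.receive_keys({mf: keys[(mf, "C")] for mf in (0, 1)})  # msg 1
    eve_kB = {mf: keys[(mf, "B")] for mf in (0, 1)}               # msg 2: to E(B)
    bob.receive_keys({0: eve_kB[1], 1: eve_kB[0]})                # msg 3: swap k_0B, k_1B
    swapped_partials = bob.make_partials()                         # msg 4: to E(C)
    # msg 5: the forwarded positions reveal Bob's masks n_0B, n_1B (assumed
    # derivable here), so Eve re-applies them to the original keys for Charlie.
    restored = {mf: mask(eve_kB[mf], tuple(0 if p is None else 1 for p in part))
                for mf, part in swapped_partials.items()}
    charlie.receive_partials(restored)
    c_partials = charlie.make_partials()                           # msg 6: to E(B)
    bob.receive_partials({0: c_partials[1], 1: c_partials[0]})     # msg 7: swap partials
    sent, sig = alice_sign(keys, m)                                # msg 8: to E(B)
    flipped = 1 - sent                                             # msg 9: Bob sees not(m)
    bob_sees = flipped if bob.verify(flipped, sig) else None
    charlie_sees = sent if charlie.verify(sent, sig) else None     # msgs 10-11: flipped back
    return {"alice_sent": sent, "bob_accepts": bob_sees, "charlie_accepts": charlie_sees}


if __name__ == "__main__":
    print(run_honest(0))
    print(run_mitm(0))
```

The model makes the root cause visible: each verifier checks a signature only against the key labelled m on his own channels, and the label is whatever arrived on that channel. An adversary who controls every channel into one verifier can relabel consistently, so the local checks of messaging steps 2 and 3 still succeed. Detecting the relabelling would require Bob and Charlie to confirm their key assignments with each other (or with Alice) over a channel the adversary does not mediate, which the protocol as stated does not provide.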

4 Formal modelling of the protocol and the attack

Research into formal modelling of the protocol is ongoing. However, the findings of this paper are supported by reachability experiments performed over the classical P2 protocol.

The classical P2 protocol is encoded in the Applied Pi Calculus of Abadi and Fournet [?], as modified by Blanchet, Smyth and others and implemented in ProVerif. ProVerif is a powerful automated protocol verification tool for reachability, secrecy, correspondence properties and observational equivalence. Experiments are performed with the protocol model to validate the attack outlined above. Full details of the formal modelling analysis will follow in a subsequent paper. However, initial experiments support the existence of the attack as outlined above.


5 Application to QDS 

The attack outlined above applies to the classical cryptographic interpretation of protocol P2. However, it can be observed that the attack involves reassignment of keys to future messages and application of Bob’s key mask, so we suggest that the attack could be transferred to the QDS protocol P2 in which key distribution is established using quantum channels. No direct observation and subsequent collapse of the key distribution qubits by Eve is required. It remains an open research question as to whether or not compromise of quantum P2, or indeed of protocol P1, can be verified by formal modelling.

In this research we have not, as yet, considered modelling using process algebras developed for quantum communications. We are mindful of the research which has been carried out in respect of quantum process algebras by Gay and Nagarajan with CQP [5] and Feng et al. with qCCS [?], but the translation of correspondence and reachability assertions to quantum protocol modelling has not, to our knowledge, been established to date. Indeed there are fundamental questions as to the application of event labelling and process dependencies to quantum protocol models which require resolution before we can devise correspondence and reachability tests within quantum models.


6 Conclusions 

In this paper we have presented an attack on the classical implementation of Dunjko et al.’s signature protocol P2. The attack allows an eavesdropper to modify a signed message and swap signatures within the protocol so that a principal is able to authenticate the message and signature even though the message has been altered. Additionally, we suggest that this attack would extend to a quantum digital signature version of the P2 protocol as the eavesdropper is not required to observe the key messages on the quantum channel.

A detailed analysis of the classical protocol using an automated theorem prover, ProVerif, is ongoing. Extending the work further to formal modelling and analysis using quantum process algebras, or modifications to classical process algebras to encapsulate quantum processes, is a further goal of this research.